Morpheus

Administrators
Everything posted by Morpheus

  1. It appears all that is needed is to add each of the rules files into the enablesid.conf file? If I remember right there is a global way to do this without having to add a list of rules? Thanks...
  2. Ok, thanks. I have added both protocols to the modder.vbs file that will activate on the first reboot.

       igmp 2 IGMP # Internet Group Management Protocol
       stcp 132 SCTP # Stream Control Transmission Protocol

     Can you post your enablesid.conf that enables all the rules?
  3. It's been here for a very long time and just works for basic purposes. I think Windows will now actually allow email notifications as part of its core functions for triggered events. You might try looking at this; I'm sure there are a few ways to go about this. Search for sending email alerts on Windows events. The above should do the trick, or possibly something similar. Let me know if this helps and it could be a good alternative to the existing way it's documented.
  4. I'm not really sure about these items as I haven't used PP in a very long time. I usually pull it up when something goes wrong to fix.

     1) You are saying that running the test for Snort 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T' produces this error: I ran the test (d:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T) and am not seeing this error?

     You said there is something missing in the 'C:\Windows\System32\drivers\etc\protocol' file. Here is the file:

       # Copyright (c) 1993-2006 Microsoft Corp.
       #
       # This file contains the Internet protocols as defined by various
       # RFCs. See http://www.iana.org/assignments/protocol-numbers
       #
       # Format:
       #
       # <protocol name> <assigned number> [aliases...] [#<comment>]
       ip 0 IP # Internet protocol
       icmp 1 ICMP # Internet control message protocol
       ggp 3 GGP # Gateway-gateway protocol
       tcp 6 TCP # Transmission control protocol
       egp 8 EGP # Exterior gateway protocol
       pup 12 PUP # PARC universal packet protocol
       udp 17 UDP # User datagram protocol
       hmp 20 HMP # Host monitoring protocol
       xns-idp 22 XNS-IDP # Xerox NS IDP
       rdp 27 RDP # "reliable datagram" protocol
       ipv6 41 IPv6 # Internet protocol IPv6
       ipv6-route 43 IPv6-Route # Routing header for IPv6
       ipv6-frag 44 IPv6-Frag # Fragment header for IPv6
       esp 50 ESP # Encapsulating security payload
       ah 51 AH # Authentication header
       ipv6-icmp 58 IPv6-ICMP # ICMP for IPv6
       ipv6-nonxt 59 IPv6-NoNxt # No next header for IPv6
       ipv6-opts 60 IPv6-Opts # Destination options for IPv6
       rvd 66 RVD # MIT remote virtual disk

     What exactly needs to be added?

       igmp 2 IGMP # Internet Group Management Protocol

     Is this something that should be included? I can automatically search the 'C:\Windows\System32\drivers\etc\protocol' file when the modder.vbs runs, and add the setting if it's missing.

     As a note: PP is an extremely powerful rule management tool, and it's been my experience that asking questions in the snort-users group will get answers faster than in the pulledpork-users group.
  5. Can you go to the Snort users list and ask, I'm not sure why it's not logging. They may be getting to the database, but possibly not showing in the security console? Let us know if you get it figured out. Working on Pulledpork right now, there is a problem and I'm trying to get it to complete ;(
  6. Not sure as it looks like the hosts file was corrupted prior to the modder.vbs inserting its line. Looks like a localized incident but will note it, and see if it appears again. Thanks...
  7. Not sure about the hosts without a screen shot. Fixed the space in the other issue. Thanks...
  8. Make SURE you have installed all the updates from the Windows update server, and make sure you are executing the modder.vbs from a command window that has administrator privileges. If the above is true then: Open the modder.vbs file and change line 12 to: getVersionNumber = 6.1
  9. Open a CMD window and type:

       reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion

     Note: you should get something like the below. In this case the "CurrentVersion" number is 6.9. You should be seeing a different "CurrentVersion" because of the warning message received.

       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
           CurrentVersion    REG_SZ    6.9

     Open the 'modder.vbs' file with a text editor. Go to line 16 and add the new "CurrentVersion" number, and save the file. Example below is based on the "CurrentVersion" of 6.9 above:

       Case 6.0, 6.1, 6.2, 6.3, 6.9:
  10. So it appears it is working correctly. Did you run the .reg file, and did you modify it to reflect the path changes before running it?
  11. This below is documented in the tutorial. Have you moved the test.php to the d:\winids\inetpub\wwwroot\base folder and seen if you can access that file through the browser? You should zip up the C:\Windows\System32\inetsrv folder, and attach that along with your php.ini file.
  12. Test the Snort installation... Go back to the section labeled Testing the Snort configuration and rules and complete it. Post the output if it fails. Configuration files should be attached, and not posted in a reply.
  13. Let us know if it works and I can add that to the tutorial.
  14. Remote access is as simple as having the appropriate port opened on the master database to the outside world, and giving the remote client the appropriate permissions to connect to the master database. Keep in mind that this is NOT a secure way to connect the client to the master, and Winsnort.com has not tackled that in a tutorial, as it is an advanced option. My guess is: if you have made sure that the default port of 3306 is open to the outside world on the master sensor, and it has been verified, then it's most likely a user permission problem. You might want to set up a specific user account for remote access and adjust the barnyard2.conf for access.
  15. If you are running Pulled Pork you do not want to manually run the create sid-map file. Pulled Pork will run its own, more advanced utility during the process of updating the rules.
  16. For some unknown reason this happens when configuring IIS, at random installs.
  17. Yes, that could happen depending on connectivity. Also, manually delete all the files in all the temp folders.
  18. Could be a few things:

     1) No internet access
     2) Trying to connect out through a proxy
     3) The repository is down for some unknown reason
  19. Go back to the tutorial and complete the section labeled 'Testing the Snort configuration file'. Post the results.
  20. Did you try: How manually to trigger TCP, IP, UDP, and ICMP for event testing? What were the results?
  21. Did you try: >How manually to trigger TCP, IP, UDP, and ICMP for event testing
  22. This is your line 349:

        output database: log, mysql, user=base password=123456 dbname=snort host=localhost sensor_name=WinIDS-Home

      This is what line 349 should look like if the tutorial was followed:

        output database: log, mysql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS-Home

      Not sure what you have done, as it appears you have changed critical switches. Correcting these should allow a connection to the MySQL database?
  23. Attach your barnyard.conf file.
  24. Is MySQL running as a service? Can you log in to the MySQL server from the command prompt? Open a command window and type 'mysql -u snort -pl0gg3r' (less the outside quotes), and tap the Enter key. Type exactly as shown above. You should be dropped into a mysql CMD prompt. Were you able to log into the MySQL server?